Active Directory Remote Users Prevent Cache Logon

Posted on 2014-03-20
Last Modified: 2014-03-26
Hello all,
I have been asked to find a solution for securing corporate PC information from access by remote personnel upon their termination; we are using VPN.
Basically, if the business terminates an employee, they want to ensure the user will not be able to log in to the laptop they were issued, nor onto the domain any longer. The domain side is the easy part, but how would I immediately be able to reach out and secure the machines for these remote users, so they can no longer log in with the cached credentials?
I was told of a way via SCCM that may facilitate this, but I can find nothing related.
Please, any direction and help is appreciated, because I do not want to be the next to be released here.

Kry
Question by:kryanC
LVL 16

Assisted Solution

by: R. Andrew Koffron
R. Andrew Koffron earned 1002 total points
ID: 39943104
You just need to set a group policy and join the machines to the domain prior to deployment:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Network Access: Do not allow storage of credentials or .NET Passports for network authentication

If you can recall the machines, it's pretty easy: plug them in and force a gpupdate. If they remain external, I don't know how to fire it retroactively to external VPN clients; I'm not sure, I'd think you'd have to create a local GPO update and a script to download it to each machine and fire it locally. I've never had any consistent success getting things to work over VPN.

But going forward, just make sure your initial deployment stops caching.
LVL 38

Assisted Solution

by: Mahesh
Mahesh earned 498 total points
ID: 39943510
The above setting will stop cached login for working employees at home as well.

Once you have disabled the user account for a terminated user, make sure that you immediately disable their mailbox, emails and any other logins (VPN, internet data card, etc.) they might have.

Now, even if the user is able to log in offline with cached credentials, they practically can't do anything.
LVL 16

Accepted Solution

by: R. Andrew Koffron
R. Andrew Koffron earned 1002 total points
ID: 39943612
Keep in mind that policy changes need to be applied by the login process, so remote machines have already authenticated by the time they get to the VPN stage. If you remove caching, you'll need to set them to use a VPN/dial-up connection in order to boot up/log in, prior to logging into the remote machine, and that will ONLY work when their internet connection is on and the VPN is up and running. It may render machines completely useless unless each machine has a local profile, and a local profile wouldn't apply a domain policy.

Sort of a catch-22; I don't know a good way around it either.
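An added example, not posted by anyone in this thread: a PowerShell script that audits, and with `-Enforce` sets, the two Security Options values behind the settings discussed in the answers above (cached domain logons, and storage of domain credentials for network authentication). It assumes the registry locations `CachedLogonsCount` under Winlogon and `DisableDomainCreds` under Lsa, and that it runs elevated on the laptop, for example from an SCCM package or a script fired when the VPN connects; a later Group Policy refresh will overwrite whatever it sets.

```powershell
# Added example (not from the thread). Read-only unless -Enforce is given.
# Assumed registry values behind the two policies:
#   Interactive logon: Number of previous logons to cache  -> Winlogon\CachedLogonsCount (REG_SZ, default 10)
#   Network access: Do not allow storage of passwords and credentials
#   for network authentication                              -> Lsa\DisableDomainCreds (DWORD, 1 = enabled)
param(
    [switch]$Enforce,           # apply the hardened values instead of only reporting
    [int]$MaxCachedLogons = 0   # 0 = no cached domain logons; logon then needs a reachable DC (VPN up)
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CachedLogonState {
    # Missing values mean the OS default applies, so report the default explicitly.
    $count   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $noCreds = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CachedLogonsCount  = if ($null -eq $count)   { 10 } else { [int]$count }
        DisableDomainCreds = if ($null -eq $noCreds) { 0 }  else { [int]$noCreds }
        OfflineLogonPossible = ($null -eq $count) -or ([int]$count -gt 0)
    }
}

# Report the current state (this is what an inventory job would collect per laptop).
$before = Get-CachedLogonState
$before | Format-List

if ($Enforce) {
    # Caveat from the thread: with 0 cached logons the user can only sign in while a
    # domain controller is reachable, so the VPN must be established before logon.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value "$MaxCachedLogons" -Type String
    Set-ItemProperty -Path $lsa -Name DisableDomainCreds -Value 1 -Type DWord
    Write-Host "Applied settings; state after change:"
    Get-CachedLogonState | Format-List
}
```

Setting `-MaxCachedLogons` to a small value such as 1 or 2 instead of 0 is the usual compromise when laptops must still boot without connectivity.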
Author Closing Comment

by: kryanC
ID: 39956960
Thanks to all. Catch-22 is the best way of illustrating how forcing it kills their ability to work offline at the same time, if I want to protect the data.
If anyone has a third-party solution or any other ideas, I would be interested, because the "business" says they are sure there is such a solution but can't remember what it is.
Thanks again,

Kry